Some older WordPress features are no longer important today. One of them is XML-RPC, which you should disable now to protect your site.
XML-RPC was a very useful feature of WordPress in the 1990s: it allowed site owners to publish content to their site remotely. Over the years, however, it turned into a weak point.
What Is XML-RPC?
XML-RPC is a feature that enables sending data from any device to a WordPress site. Using this feature, you can make a remote connection with your site using a smartphone.
This feature was important when internet speeds were low. Users found it faster and easier to write their content offline and publish it all at once using this feature.
Why Do You Need to Disable XML-RPC?
Nowadays there’s no need for this tool, and most users aren’t even aware that it exists. But in 2015, a vulnerability appeared in WordPress XML-RPC. It allowed hackers to exploit the XML-RPC feature to try to break into WordPress sites.
This problem was solved by an update, and any site running version 4.4.1 or higher is immune to this hack. But millions of sites are still running outdated versions of WordPress, which makes them vulnerable to XML-RPC hacks.
If you have an old version of WordPress, you should update it. And if you run a WordPress website and don’t need to publish content remotely, it’s best to disable this feature.
How to Disable XML-RPC in WordPress?
Method 1: Disabling XML-RPC with a plugin
- Log in to your wp-admin dashboard and go to ‘Plugins’.
- Here, click on ‘Add New’.
- Next, using the search bar, look for ‘Disable XML-RPC’. You should see the plugin in the results.
Install and activate the Disable XML-RPC plugin. The XML-RPC feature will be disabled once you activate the plugin. This plugin will work on any WordPress site running on version 3.5 and above.
Method 2: Disabling XML-RPC Manually
You can disable XML-RPC manually by editing your WordPress files, but take a backup of your website before you do.
- Log in to your hosting platform account.
- From cPanel, open ‘File Manager’.
- In File Manager, your website’s folders should be under the folder named ‘public_html’. Here, you’ll see three main folders – wp-admin, wp-content, and wp-includes.
You should see a file named ‘.htaccess’ here. If you don’t, you can use the search bar on the top-right of the screen to look for it.
- Open the .htaccess file by right-clicking and choosing ‘Edit’.
- To restrict access to XML-RPC, paste the following code into this file:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
In the 5th line, ‘allow from xxx.xxx.xxx.xxx’, replace the x’s with your IP address if you would like to retain XML-RPC access from a particular IP. Otherwise, you can simply delete this line.
- Save changes and close the file. The code disables XML-RPC.
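The manual steps above, scripted for a host where you have shell access instead of File Manager (an added example, not part of the original article). It takes the backup first, validates the optional IP, and appends the block only once; the function name `block_xmlrpc` and the backup file naming are assumptions.

```shell
#!/bin/sh
# Added example: back up .htaccess, then append the article's xmlrpc.php
# block once. The directives are Apache 2.2 syntax; Apache 2.4 still
# honours them when mod_access_compat is loaded.
# Usage: sh block_xmlrpc.sh /path/to/public_html/.htaccess [allowed-ip]

block_xmlrpc() {   # hypothetical helper name
    htaccess=$1
    allow_ip=${2:-}

    # Refuse a wrong path instead of creating a stray file.
    if [ ! -f "$htaccess" ]; then
        echo "not found: $htaccess" >&2
        return 1
    fi
    # The IP ends up inside the config, so accept address characters only.
    case $allow_ip in
        *[!0-9a-fA-F.:/]*) echo "invalid IP: $allow_ip" >&2; return 2 ;;
    esac
    # Idempotent: leave the file alone if a section for xmlrpc.php exists.
    if grep -qi '<Files[[:space:]]*"*xmlrpc\.php' "$htaccess"; then
        echo "already blocked in $htaccess"
        return 0
    fi
    # Timestamped copy for rollback (naming scheme is an assumption).
    backup="$htaccess.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$htaccess" "$backup" || return 1

    {
        printf '\n# Block WordPress xmlrpc.php requests\n'
        printf '<Files xmlrpc.php>\n'
        printf 'order deny,allow\n'
        printf 'deny from all\n'
        if [ -n "$allow_ip" ]; then
            printf 'allow from %s\n' "$allow_ip"
        fi
        printf '</Files>\n'
    } >> "$htaccess"
    echo "xmlrpc.php blocked (backup: $backup)"
}

# Run only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    block_xmlrpc "$@"
fi
```

Running it a second time on the same file changes nothing, so it is safe to include in a provisioning script.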